ELK Stack on Kubernetes Architecture

I want to deploy the ELK stack on Kubernetes for monitoring logs stored in a Persistent Volume in the Kubernetes namespace. Logs are generated from different nodes, but are stored at the same place in the Persistent Volume. What would be the best architecture to deploy the ELK stack to monitor those logs?

Currently this is the architecture which I am using:

  • I have deployed a Filebeat instance in a Pod in a StatefulSet that collects logs from the PV and sends them to Logstash. Only 1 Filebeat pod is running.

  • A Logstash instance is also running in a Pod in a StatefulSet and transfers these logs to Elasticsearch. Only 1 Logstash pod is running.

  • Elasticsearch and Kibana are already running on some other cluster, so I don't have to worry about them.

I want to know if there is any other efficient way in which the Filebeat and Logstash instances can be deployed on Kubernetes. Is there any way in which 2 or more Filebeat instances could pick up logs from the same location and load balance among them?

I have already read about Load Balancing in Logstash, but want to achieve it at Filebeat level too.

Also, I want to make Filebeat and Logstash Highly Available, so what are the best possible ways to achieve it?

Hi!

I think you could try to create 2 or 3 different configurations and have 2, 3 or more Filebeat instances on top of each to collect from different log files from the PV. For instance:

Filebeat1 to collect from /var/log/part1/...
Filebeat2 to collect from /var/log/part2/...
Filebeat3 to collect from /var/log/part3/...

Other than that I think that your solution looks quite good, and as far as HA is concerned I would say it is already achieved at Filebeat's level, since you deploy it as a StatefulSet and in case the Pod crashes it will be immediately restarted by k8s and keep collecting from where it left off.

C.
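The per-path split suggested above, as an added example manifest that is not from this thread: one StatefulSet with three replicas, where each replica derives its partition from its pod ordinal (filebeat-0 reads part1, filebeat-1 reads part2, and so on) through Filebeat's `${VAR}` environment-variable expansion. Assumed names: the RWX PVC `shared-logs` that holds the logs, the Logstash Service `logstash`, and the image tag.

```yaml
apiVersion: v1
kind: ConfigMap
metadata: {name: filebeat-config}
data:
  filebeat.yml: |
    filebeat.inputs:
      - type: log
        paths:
          - /logs/${LOG_PART}/*.log   # LOG_PART is exported by the entrypoint below
    # Per-pod registry; if it lived on the shared PV the replicas would overwrite
    # each other's read offsets and re-ship or skip lines.
    path.data: /usr/share/filebeat/data
    output.logstash:
      hosts: ["logstash:5044"]        # assumed name of the Logstash Service
---
apiVersion: apps/v1
kind: StatefulSet
metadata: {name: filebeat}
spec:
  serviceName: filebeat
  replicas: 3                          # filebeat-0, filebeat-1, filebeat-2
  selector:
    matchLabels: {app: filebeat}
  template:
    metadata:
      labels: {app: filebeat}
    spec:
      containers:
        - name: filebeat
          image: docker.elastic.co/beats/filebeat:7.17.0   # assumed version
          command: ["/bin/sh", "-c"]
          args:
            - |
              ordinal="${HOSTNAME##*-}"               # filebeat-2 -> 2
              export LOG_PART="part$((ordinal + 1))"  # -> part3, i.e. /logs/part3
              exec filebeat -e -c /etc/filebeat/filebeat.yml
          volumeMounts:
            - {name: config, mountPath: /etc/filebeat/filebeat.yml, subPath: filebeat.yml, readOnly: true}
            - {name: logs, mountPath: /logs, readOnly: true}
            - {name: registry, mountPath: /usr/share/filebeat/data}
      volumes:
        - name: config
          configMap: {name: filebeat-config}
        - name: logs
          persistentVolumeClaim: {claimName: shared-logs}   # assumed RWX PVC holding the logs
  volumeClaimTemplates:
    - metadata: {name: registry}
      spec:
        accessModes: ["ReadWriteOnce"]
        resources: {requests: {storage: 1Gi}}
```

Each replica keeps its own registry, so a log file must belong to exactly one partition: a path matched by two replicas is shipped twice.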

